Did Credit Card Scammer War Drive?
from the evidence-please? dept
There's a story making the rounds this morning about a teenager being charged with credit card fraud. He apparently got credit card numbers somehow, made up fake cards, and gave them to people to buy stuff. What's unclear, however, is how he got the card numbers. The article claims: "They believed that he was gathering credit card numbers online or parking in residential neighborhoods and capturing wireless transmissions of financial information on his laptop." Gathering credit card numbers online is fairly common, but the claim that he was getting them via wireless networks deserves more scrutiny. It is certainly possible, but it's pretty difficult. Even if your WiFi network is unprotected, most websites that require a credit card entry will use encryption, meaning he should not have been able to get the card numbers that way. Because the press seems to really like writing up stories about war drivers stealing credit cards, it's only a matter of time until this aspect of the story gets more attention -- but there should be a little more evidence to show that he actually obtained credit card numbers this way, and an explanation of how that happened if people were using sites that used encryption.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Probably easier than you think.
When this happens, the client does get a warning box from their browser saying that it couldn't verifiy the SSL certificate of the server, but how often do you think people are willing to click "Ok" to a warning box that they don't understand? Probably more often than anybody would like to admit. Once the user clicks ok, the "encrypted" session goes on unhindered with the eavesdropper listening in to everything being said.
People don't understand the gravity of certificate-verification warning boxes. If your browser isn't able to verify a SSL certificate with a central authority, then the chain of trust is broken and any claims to security are null and void.
[ link to this | view in thread ]
No Subject Given
I won't name the restaraunt, but while there and waiting for a table, they had that nights receipts on the table where the hostess sits and in plain sight were receipts with full credit card numbers along with expiration dates. One shot with a camera phone and those people would have been screwed.
Unfortunatley, a lot of the press are brain dead in terms of technology and have no right to be talking about it, but this stuff does happen.
Another scenario is when people hold out their credit cards while in line waiting to pay, a simple, indiscreet capture of that, again with a camera phone or other type of device and gone.
[ link to this | view in thread ]
Camera Phone theory
While I'll agree with you that # stealing is eas & usually doesn't have to rely on technology ... the camera phone theory has already been shot down.
Somebody got the links ?
[ link to this | view in thread ]
Re: Camera Phone theory
http://www.techdirt.com/articles/20041223/1438218.shtml
Yeah, that cameraphone story isn't true. So far, there aren't many cameraphones out there good enough to snap a photo of credit card numbers. However, it could be an issue at some point, though you hope, by then, people are smart enough to notice someone fiddling with their phone nearby.
[ link to this | view in thread ]
Residential neighborhoods?
- ask
[ link to this | view in thread ]
Possible, and relatively easy
Rather than a fancy SSL man-in-the-middle attack, just connect to the (likely unsecured) wifi and install a browser helper (on the likely insecure PC) that keylogs whenever an interesting site is accessed. Come back a month or two later, get the logs, and wipe out the keylogger.
For the finishing touch, use the victim's own wifi network to connect to the bank and drain his account. The logged IP (that of the router/firewall) would belong to the victim.
[ link to this | view in thread ]
Re: Possible, and relatively easy
Er... what are you installing a keylogger on? Even if you can get on an average WiFi network, it's much less likely you'll get access to someone's computer.
[ link to this | view in thread ]
Re: Possible, and relatively easy
If we assume those users took a minimal set baseline steps to secure their PCs (e.g. rename administrator account, use non-dictionary passwords, enable account lockout on invalid passwords, configure the event log to audit logon failures...) then you are correct. But, if someone's access point is blinking 12:00, how sophisticated is that end-user?
[ link to this | view in thread ]